First, I don't think the way it was used was "secure". I think it could be changed by the user himself.

Second, the field probably still existsin the database, but a way to change it is not exposed. The names in quotations Risker mentions are probably that field, migrated from mailman2.

Third, for such private I think we should aim for having:

a) A mapping of the private list and the membership condition (e.g. user needs to belong to either group A on wiki x or group B in wiki Y). This could live in puppet, a lists repo, etc.

b) A daily cron which automatically unsubscribes from each private list the mailman3 users in the list which don't have the wiki email linked to a user with the applicabe permission.

This way, even if moderators lost track of someone no longer being a X (or made a mistake sigining up the wrong user), it would be automatically corrected at most after 24 hours.

Note the user wouldn't need to use the same email address on-wiki and on mailman. Jusr to have mailman know that the wiki mall belongs to the same mailan account.

Bonus would be not to let a user join the list without the needed requirement, but that seems more complex.

Best regards